Teaching you to use strace to find an ssh backdoor - Vulnerability Alert - Black Bar Safety Net

2009-08-02T00:00:00
ID MYHACK58:62200924109
Type myhack58
Reporter Anonymous
Modified 2009-08-02T00:00:00

Description

First, I compile an ssh backdoor. This sshd backdoor records every login password in /tmp/xxxxxx.

Start it:

QUOTE: root@laptop:/usr/local/openssh2/sbin# ps aux | grep sshd
root     13619  0.0  0.3   7432  1752 ?        Ss   23:44   0:00 ./sshd -p 1234
root     13707  0.0  0.2   4292  1328 pts/3    R+   23:58   0:00 grep sshd

Now we attach strace to the sshd process with pid 13619. The -ff parameter is very important: it follows the child processes that sshd forks for each connection, and because we also pass -o aa, each process's trace is written to its own file, aa.<pid>.

QUOTE: root@laptop:/usr/local/openssh2/sbin# strace -o aa -ff -p 13619

Then we log in with ssh. After a successful login, look in the current directory: strace has written its output files.

QUOTE: root@laptop:/usr/local/openssh2/sbin# ls
aa  aa.13636  aa.13638  aa.13640  aa.13642  aa.13644  aa.13646  aa.13648  aa.13650  aa.13652  aa.13654  aa.13656  sshd
aa.13635  aa.13637  aa.13639  aa.13641  aa.13643  aa.13645  aa.13647  aa.13649  aa.13651  aa.13653  aa.13655  aa.13657

Now grep for the open system call, filter out the error lines ("No such file"), the /dev/null lines and the "denied" lines, and keep only the lines containing WR, that is, files opened in a write mode (O_WRONLY or O_RDWR). A backdoor that records passwords has to open its log file for writing, so that is where it must show up. (On newer systems the call appears as openat(...) rather than open(...); grep open matches both.) Skimming what remains, the odd file /tmp/xxxxxx is easy to spot.

QUOTE: root@laptop:/usr/local/openssh2/sbin# grep open aa* | grep -v -e No -e null -e denied | grep WR
aa.13635:open("/tmp/xxxxxx", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
aa.13635:open("/dev/ptmx", O_RDWR) = 3
aa.13635:open("/dev/pts/5", O_RDWR|O_NOCTTY) = 6
aa.13635:open("/var/run/utmp", O_RDWR) = 7
aa.13635:open("/var/log/wtmp", O_WRONLY) = 7
aa.13635:open("/var/log/lastlog", O_RDWR|O_CREAT|O_LARGEFILE, 02000) = 7
aa.13635:open("/var/run/utmp", O_RDWR) = 6
aa.13635:open("/var/log/wtmp", O_WRONLY) = 6
aa.13638:open("/dev/pts/5", O_RDWR|O_LARGEFILE) = 7
aa.13638:open("/dev/tty", O_WRONLY|O_LARGEFILE) = 8
aa.13638:open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
aa.13640:open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
aa.13657:open("/dev/tty", O_RDWR) = 3

With the method above we can make a rough diagnosis of whether our sshd has been backdoored. But sshd backdoors come in many varieties. The one I used above is a relatively good one: it can be configured whether or not to record passwords, and if it is set not to record them, strace will probably not find it this way. Still, some ssh backdoors use a special configuration file or read a special password file, and those are very easy to find with strace. Do you see? Do you understand now? I only got it on the second read.
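The grep chain above, turned into a reusable filter over the per-pid trace files, as an added example that is not code from the original article. It goes a little beyond the text: it also recognizes openat() and creat(), drops failed calls by their "= -1" result instead of by the word "No", and uses a small allow-list of the files a normal login opens for writing (ttys, utmp/wtmp/lastlog) so that only unexpected write-mode opens remain. The trace files are constructed here, modelled on the article's listing; the path names in them (such as /usr/lib/.sshd.key) are made up for the demonstration, and the allow-list is illustrative, not exhaustive.

```shell
#!/bin/sh
# Added example, not code from the original article. Filters the per-pid
# trace files written by "strace -o <prefix> -ff -p <pid>" for open-family
# calls that open a path for writing, which is where a password-logging
# sshd backdoor has to show up. Assumptions: file names are <prefix>.<pid>,
# lines are plain strace output (no -t timestamps), and the allow-list of
# normal login-accounting files below is illustrative, not exhaustive.

# Print "file:line" for every successful write-mode open()/openat()/creat()
# whose path is not a tty/pty, /dev/null or a standard utmp/wtmp/lastlog file.
suspicious_write_opens() {
    prefix=$1
    awk '
        # tolerate "strace -f" (single file) output, which prefixes "[pid N] "
        { sub(/^\[pid +[0-9]+\] /, "") }
        # only the open family of syscalls
        !/^(open|openat|creat)\(/ { next }
        # drop failed calls: strace prints "= -1 ERRNO (text)"
        / = -1 / { next }
        # keep write-mode opens; creat() is always a write
        !(/^creat\(/ || /O_WRONLY/ || /O_RDWR/) { next }
        {
            # the path is the first quoted string on the line
            # (for openat the unquoted dirfd comes before it)
            match($0, /"[^"]*"/)
            path = substr($0, RSTART + 1, RLENGTH - 2)
            # files a normal login opens for writing (allow-list, illustrative)
            if (path ~ /^\/dev\/(null|ptmx|tty|pts\/[0-9]+)$/) next
            if (path ~ /^\/var\/(run|log)\/(utmp|wtmp|btmp|lastlog)$/) next
            if (path ~ /^\/run\/(utmp|wtmp)$/) next
            print FILENAME ":" $0
        }
    ' "$prefix".*
}

# Constructed sample traces (not real output): two per-pid files modelled on
# the listing in the article, plus a modern openat() child and a creat() call.
# The suspicious paths (/tmp/xxxxxx aside) are invented for the demonstration.
make_sample_traces() {
    dir=$(mktemp -d)
    cat > "$dir/aa.13635" <<'EOF'
open("/etc/ssh/sshd_config", O_RDONLY) = 3
open("/tmp/xxxxxx", O_WRONLY|O_APPEND|O_CREAT|O_LARGEFILE, 0666) = 3
open("/dev/null", O_RDWR) = 4
open("/etc/nosuchfile", O_WRONLY) = -1 ENOENT (No such file or directory)
open("/dev/ptmx", O_RDWR) = 3
open("/var/run/utmp", O_RDWR) = 7
open("/var/log/wtmp", O_WRONLY) = 7
open("/var/log/lastlog", O_RDWR|O_CREAT|O_LARGEFILE, 02000) = 7
EOF
    cat > "$dir/aa.13638" <<'EOF'
openat(AT_FDCWD, "/dev/pts/5", O_RDWR|O_LARGEFILE) = 7
openat(AT_FDCWD, "/usr/lib/.sshd.key", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 8
openat(AT_FDCWD, "/root/.bash_history", O_RDONLY) = 9
creat("/var/tmp/.X11-lock", 0644) = 10
EOF
    echo "$dir"
}

# Stand-alone run: three lines survive the filter (/tmp/xxxxxx,
# /usr/lib/.sshd.key and /var/tmp/.X11-lock); the rest is normal login traffic.
sample=$(make_sample_traces)
suspicious_write_opens "$sample/aa"
rm -rf "$sample"
```

Against real traces, run suspicious_write_opens aa after the strace session in the article. Filtering on "= -1" rather than on the word "No" matters: "grep -v No" would also discard a successful open of any path containing "No", while a failed write-mode open tells you nothing about where the backdoor actually stores its log. Whatever survives the allow-list still needs a human look, since a legitimately configured sshd may write elsewhere (a custom PidFile or log location, for instance).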